Unable to connect using MullgardVPN config and Whonix

Posted: Sat Sep 10, 2022 1:26 am
by whonixuser
Hello. I am trying to connect using a config file for openvpn that was generated by
the MullgardVPN website config tool. I am trying to make a proxy for Whonix.

My goal is user>tor>openvpn>internet.

When I run OpenVPN in the terminal I get "initialized sequence complete" but then it
sits for maybe 30 seconds and continuously fails and tries to restart. Here is the
log:

user@VPN-Gateway:/home/mullvad$ sudo openvpn mullvad_us_sjc.conf
2022-09-09 20:53:20 Note: option tun-ipv6 is ignored because modern operating
systems do not need special IPv6 tun handling anymore.
2022-09-09 20:53:20 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in
--data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore
--cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change
--cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this
warning.
2022-09-09 20:53:20 WARNING: file 'mullvad_userpass.txt' is group or others accessible
2022-09-09 20:53:20 OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]
[EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
2022-09-09 20:53:20 library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10
2022-09-09 20:53:20 NOTE: the current --script-security setting may allow this
configuration to call user-defined scripts
2022-09-09 20:53:20 TCP/UDP: Preserving recently used remote address:
[AF_INET]198.54.134.34:443
2022-09-09 20:53:20 Socket Buffers: R=[131072->425984] S=[16384->425984]
2022-09-09 20:53:20 Attempting to establish TCP connection with
[AF_INET]198.54.134.34:443 [nonblock]
2022-09-09 20:53:20 TCP connection established with [AF_INET]198.54.134.34:443
2022-09-09 20:53:20 TCP_CLIENT link local: (not bound)
2022-09-09 20:53:20 TCP_CLIENT link remote: [AF_INET]198.54.134.34:443
2022-09-09 20:53:21 TLS: Initial packet from [AF_INET]198.54.134.34:443,
sid=e709b870 fc6af0f7
2022-09-09 20:53:22 VERIFY OK: depth=2, C=SE, ST=Gotaland, L=Gothenburg, O=Amagicom
AB, OU=Mullvad, CN=Mullvad Root CA v2, emailAddress=security@mullvad.net
2022-09-09 20:53:22 VERIFY OK: depth=1, C=SE, ST=Gotaland, O=Amagicom AB,
OU=Mullvad, CN=Mullvad Intermediate CA v4, emailAddress=security@mullvad.net
2022-09-09 20:53:22 VERIFY KU OK
2022-09-09 20:53:22 Validating certificate extended key usage
2022-09-09 20:53:22 ++ Certificate has EKU (str) TLS Web Server Authentication,
expects TLS Web Server Authentication
2022-09-09 20:53:22 VERIFY EKU OK
2022-09-09 20:53:22 VERIFY OK: depth=0, C=SE, ST=Gotaland, O=Amagicom AB,
OU=Mullvad, CN=us-sjc-ovpn-001.mullvad.net, emailAddress=security@mullvad.net
2022-09-09 20:53:23 WARNING: 'link-mtu' is used inconsistently, local='link-mtu
1559', remote='link-mtu 1560'
2022-09-09 20:53:23 WARNING: 'comp-lzo' is present in remote config but missing in
local config, remote='comp-lzo'
2022-09-09 20:53:23 Control Channel: TLSv1.3, cipher TLSv1.3
TLS_CHACHA20_POLY1305_SHA256, 4096 bit RSA
2022-09-09 20:53:23 [us-sjc-ovpn-001.mullvad.net] Peer Connection Initiated with
[AF_INET]198.54.134.34:443
2022-09-09 20:53:24 SENT CONTROL [us-sjc-ovpn-001.mullvad.net]: 'PUSH_REQUEST'
(status=1)
2022-09-09 20:53:25 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS
10.5.0.1,redirect-gateway def1 bypass-dhcp,route-ipv6 0000::/2,route-ipv6
4000::/2,route-ipv6 8000::/2,route-ipv6 C000::/2,comp-lzo no,route-gateway
10.5.0.1,topology subnet,socket-flags TCP_NODELAY,ifconfig-ipv6
fdda:d0d0:cafe:443::1008/64 fdda:d0d0:cafe:443::,ifconfig 10.5.0.10
255.255.0.0,peer-id 0,cipher AES-256-GCM'
2022-09-09 20:53:25 WARNING: You have specified redirect-gateway and
redirect-private at the same time (or the same option multiple times). This is not
well supported and may lead to unexpected results
2022-09-09 20:53:25 OPTIONS IMPORT: compression parms modified
2022-09-09 20:53:25 OPTIONS IMPORT: --socket-flags option modified
2022-09-09 20:53:25 Socket flags: TCP_NODELAY=1 succeeded
2022-09-09 20:53:25 OPTIONS IMPORT: --ifconfig/up options modified
2022-09-09 20:53:25 OPTIONS IMPORT: route options modified
2022-09-09 20:53:25 OPTIONS IMPORT: route-related options modified
2022-09-09 20:53:25 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-09-09 20:53:25 OPTIONS IMPORT: peer-id set
2022-09-09 20:53:25 OPTIONS IMPORT: adjusting link_mtu to 1626
2022-09-09 20:53:25 OPTIONS IMPORT: data channel crypto options modified
2022-09-09 20:53:25 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-09-09 20:53:25 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256
bit key
2022-09-09 20:53:25 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256
bit key
2022-09-09 20:53:25 net_route_v4_best_gw query: dst 0.0.0.0
2022-09-09 20:53:25 net_route_v4_best_gw result: via 10.137.0.13 dev eth0
2022-09-09 20:53:25 ROUTE_GATEWAY 10.137.0.13
2022-09-09 20:53:25 GDG6: remote_host_ipv6=n/a
2022-09-09 20:53:25 net_route_v6_best_gw query: dst ::
2022-09-09 20:53:25 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-09-09 20:53:25 ROUTE6: default_gateway=UNDEF
2022-09-09 20:53:25 TUN/TAP device tun0 opened
2022-09-09 20:53:25 net_iface_mtu_set: mtu 1500 for tun0
2022-09-09 20:53:25 net_iface_up: set tun0 up
2022-09-09 20:53:25 net_addr_v4_add: 10.5.0.10/16 dev tun0
2022-09-09 20:53:25 net_iface_mtu_set: mtu 1500 for tun0
2022-09-09 20:53:25 net_iface_up: set tun0 up
2022-09-09 20:53:25 net_addr_v6_add: fdda:d0d0:cafe:443::1008/64 dev tun0
2022-09-09 20:53:25 /etc/openvpn/update-resolv-conf tun0 1500 1554 10.5.0.10
255.255.0.0 init
2022-09-09 20:53:25 net_route_v4_add: 198.54.134.34/32 via 10.137.0.13 dev [NULL]
table 0 metric -1
2022-09-09 20:53:25 net_route_v4_add: 0.0.0.0/1 via 10.5.0.1 dev [NULL] table 0
metric -1
2022-09-09 20:53:25 net_route_v4_add: 128.0.0.0/1 via 10.5.0.1 dev [NULL] table 0
metric -1
2022-09-09 20:53:25 add_route_ipv6(::/2 -> fdda:d0d0:cafe:443:: metric -1) dev tun0
2022-09-09 20:53:25 net_route_v6_add: ::/2 via :: dev tun0 table 0 metric -1
2022-09-09 20:53:25 add_route_ipv6(4000::/2 -> fdda:d0d0:cafe:443:: metric -1) dev tun0
2022-09-09 20:53:25 net_route_v6_add: 4000::/2 via :: dev tun0 table 0 metric -1
2022-09-09 20:53:25 add_route_ipv6(8000::/2 -> fdda:d0d0:cafe:443:: metric -1) dev tun0
2022-09-09 20:53:25 net_route_v6_add: 8000::/2 via :: dev tun0 table 0 metric -1
2022-09-09 20:53:25 add_route_ipv6(c000::/2 -> fdda:d0d0:cafe:443:: metric -1) dev tun0
2022-09-09 20:53:25 net_route_v6_add: c000::/2 via :: dev tun0 table 0 metric -1
2022-09-09 20:53:25 WARNING: this configuration may cache passwords in memory -- use
the auth-nocache option to prevent this
2022-09-09 20:53:25 Initialization Sequence Completed

2022-09-09 20:54:25 Connection reset, restarting [0]
2022-09-09 20:54:25 SIGUSR1[soft,connection-reset] received, process restarting
2022-09-09 20:54:25 Restart pause, 5 second(s)
2022-09-09 20:54:30 NOTE: the current --script-security setting may allow this
configuration to call user-defined scripts
2022-09-09 20:54:30 TCP/UDP: Preserving recently used remote address:
[AF_INET]198.54.134.34:443
2022-09-09 20:54:30 Socket Buffers: R=[131072->425984] S=[16384->425984]
2022-09-09 20:54:30 Attempting to establish TCP connection with
[AF_INET]198.54.134.34:443 [nonblock]
2022-09-09 20:54:30 TCP: connect to [AF_INET]198.54.134.34:443 failed: No route to host
2022-09-09 20:54:30 SIGUSR1[connection failed(soft),init_instance] received, process
restarting
2022-09-09 20:54:30 Restart pause, 5 second(s)
2022-09-09 20:54:35 NOTE: the current --script-security setting may allow this
configuration to call user-defined scripts
2022-09-09 20:54:35 TCP/UDP: Preserving recently used remote address:
[AF_INET]198.54.134.66:443
2022-09-09 20:54:35 Socket Buffers: R=[131072->425984] S=[16384->425984]
2022-09-09 20:54:35 Attempting to establish TCP connection with
[AF_INET]198.54.134.66:443 [nonblock]


Here are my config file settings:

client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
remote-cert-tls server
ping 10
ping-restart 60
sndbuf 524288
rcvbuf 524288
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
proto tcp
auth-user-pass mullvad_userpass.txt
ca mullvad_ca.crt
tun-ipv6
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
remote-random
remote 198.54.134.34 443 # us-sjc-ovpn-001
remote 198.54.134.66 443 # us-sjc-ovpn-003
remote 198.54.134.50 443 # us-sjc-ovpn-002
redirect-gateway def1


Will you please help me troubleshoot this issue?
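
Added example (not part of the original post, and not OpenVPN or Mullvad code): a small Python triage helper for a log like the one above. It rejoins the hard-wrapped entries, collects the WARNING and DEPRECATED OPTION lines, and measures how long the tunnel stayed up before the first restart. The names parse, triage and SAMPLE_LOG are made up for this sketch, and the sample is a handful of entries copied from the post.

```python
import re
from datetime import datetime

# Constructed sample: a few entries copied from the log in the post, still hard-wrapped.
SAMPLE_LOG = """\
2022-09-09 20:53:20 WARNING: file 'mullvad_userpass.txt' is group or others accessible
2022-09-09 20:53:25 WARNING: You have specified redirect-gateway and
redirect-private at the same time (or the same option multiple times). This is not
well supported and may lead to unexpected results
2022-09-09 20:53:25 WARNING: this configuration may cache passwords in memory -- use
the auth-nocache option to prevent this
2022-09-09 20:53:25 Initialization Sequence Completed
2022-09-09 20:54:25 Connection reset, restarting [0]
2022-09-09 20:54:25 SIGUSR1[soft,connection-reset] received, process restarting
2022-09-09 20:54:30 TCP: connect to [AF_INET]198.54.134.34:443 failed: No route to host
2022-09-09 20:54:30 SIGUSR1[connection failed(soft),init_instance] received, process
restarting
"""

STAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
RESTART = re.compile(r"^SIGUSR1\[(.*)\] received")
CONNECT_FAIL = re.compile(r"connect to \[AF_INET6?\](\S+) failed: (.*)$")

def parse(log):
    """Rejoin hard-wrapped entries and return [(datetime, message), ...]."""
    events = []
    for line in log.splitlines():
        m = STAMP.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append([when, m.group(2)])
        elif line.strip() and events:
            events[-1][1] += " " + line.strip()  # continuation of the previous entry
    return [(when, msg) for when, msg in events]

def triage(log):
    """Collect warnings, restart reasons, failed connects and time up before first restart."""
    events = parse(log)
    up = next((t for t, m in events if "Initialization Sequence Completed" in m), None)
    restarts = [(t, r.group(1)) for t, m in events if (r := RESTART.match(m))]
    later = [t for t, _ in restarts if up is not None and t >= up]
    return {
        "warnings": [m for _, m in events if m.startswith(("WARNING:", "DEPRECATED OPTION:"))],
        "restart_reasons": [reason for _, reason in restarts],
        "connect_failures": [c.groups() for _, m in events if (c := CONNECT_FAIL.search(m))],
        "uptime_s": int((later[0] - up).total_seconds()) if later else None,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "=", value)
```

On the sampled entries it reports 60 seconds between "Initialization Sequence Completed" and the first restart, followed by a failed reconnect to the same remote.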